The EU GDPR compliance requirements call for certain organisations to appoint a data protection officer (DPO). Even where such an appointment is not mandatory, it is often still advisable for organisations processing personal data to appoint one. The European Data Protection Board, formerly the Article 29 Working Party, has advised that DPOs are the cornerstone for organisations in terms of GDPR compliance and must be involved in all issues concerning the protection of personal data in an organisation at the earliest opportunity. DPOs may be internal or external and due to the critical role they play, the GDPR requires that the DPO be allowed to exercise their functions independently. So, what exactly is the role of a DPO and why is it necessary for them to be independent?
Responsibilities of the DPO
The DPO is responsible for tracking GDPR compliance requirements of the organisation such as collecting information to identify the processing activities taking place, ensuring those activities satisfy the GDPR principles and advising the controller or processor accordingly. As such, the DPO plays a central role in record-keeping concerning data protection in the organisation. They must create inventories and registers that detail the personal data processing operations of the organisation’s various departments. Clearly, these records are necessary both for the organisation to comply with its overarching accountability obligations and for the DPO to perform their functions.
The DPO also plays an important role in advising on issues concerning data protection impact assessments (DPIAs). The DPO should advise on whether or not to carry out a DPIA, what methods should be used and whether it is necessary to engage outside resources to do so. Upon completion of the DPIA, the DPO should advise on whether it has been carried out satisfactorily and how to proceed in view of its findings. If, for instance, significant risks have been identified in some processing operations, they should advise on whether those operations should be abandoned or if not, and what safeguards should be put in place to ensure compliance is achieved.
The DPO is the link between the organisation, the Supervisory Authorities and the data subjects. They facilitate access to documents and information by the Supervisory Authority to enable it to perform its monitoring role, as well as exercise its investigative, corrective, authorisation and advisory powers. It should be noted that the fact that the DPO is bound by confidentiality obligations in the performance of their tasks does not preclude them from seeking advice from the Supervisory Authorities when necessary. In some situations, a careful balance needs to be struck between these two priorities. The DPO is also the contact point for data subjects on issues relating to the processing of their data, including enforcing their rights as provided for under the GDPR. It is important that the DPO can be easily accessed by the data subjects whether through telephone, mail or otherwise. Additionally, the DPO should advise and train employees of the organisation on compliance with the GPDR.
In the performance of their duties, the DPO is required to adopt a pragmatic approach by focusing on high-risk processing activities. This should be done without neglecting activities that may be deemed to pose lower levels of risk. In this duty, the DPO should therefore advise the controller on the methodology of the DPIA, which activities require data protection audits and which ones should be the focus of management regarding enhanced security measures, regular training of staff and resource allocation.
The importance of DPO independence
The GDPR envisages that the DPO performs their work in an independent manner. In other words, the controller should not direct the DPO regarding how they do their work. For example, the DPO cannot be instructed to reach a particular conclusion concerning the investigation of a complaint. The DPO should report to the highest level of management; ideally, the Board of Directors. This is intended to ensure compliance with the regulations in the sense that management receives timely advice on matters of data protection.
To achieve the autonomy required by the GDPR, the DPO must be given some form of job security and cannot be dismissed or penalised by the controller or processor as a result of carrying out their duties. This does not mean that the DPO enjoys permanent job security as they may be disciplined or even terminated for other legitimate reasons, such as gross misconduct. Additionally, they must be given the necessary resources to perform their duties and to achieve the desired independence. The scale of these depends on the complexity and sensitivity of the processing activities but would typically include budget, equipment and staff.
Finally, care must be taken not to compromise the autonomy of the DPO by putting them in a position that may lead to a conflict of interest. This is more likely in cases where the DPO is internal. While it is permissible to assign the DPO with other tasks these should, for instance, not require them to determine the means and purposes of processing the data, as this blurs the role with that of the controller.
Conclusion
It has been accurately observed that the DPO is the manifestation of the Supervisory Authority in an organisation. The importance of the DPO in achieving GDPR compliance requirements cannot be overstated; however, the DPO is not personally liable for non-compliance, as overall responsibility lies with the data controller. Any decision not to appoint a DPO must be signed off at a senior level in the organisation. In addition, failing to appoint a DPO where one is required may attract a fine of €10 million or 2% of annual global turnover, whichever is higher.
To achieve the strict obligations imposed on controllers and indeed processors under the GDPR, it is important that organisations processing personal data, empower and embrace their DPOs and work closely with them, as opposed to viewing them as ‘nosy night watchmen’.
By Dyann Heward-Mills. This article was originally published on 27 August 2019 on the IAPP’s website.
